Protecting Data in the Federal Government

By Cynthia Leonard —
April 12, 2017

Our world runs on data. From consumer information (health files, banking and financial data, education records, and more) to research findings and classified national security information, we generate an ever-increasing volume of critical, sensitive data. Criminals target much of this information, and cyber-attacks against enterprises and governments globally continue to grow in frequency and severity.

The government challenges
Government customers have some of the same challenges faced by private sector corporations, including:

The exponential growth of high-value and personally identifiable information from citizens, employees, and anyone with any business with the government.

The difficulty of adding security to legacy applications and platforms with limited native data security options.

Gaps in data protection from the over-reliance on data-at-rest, network and endpoint security.

The need to leverage rich data for analytics and share data between agencies and with contractors.

Compliance with privacy and data protection legislation such as GDPR, HIPPA.

The need to adopt innovations such as cloud and IoT.

In addition, governments have to deal with unique challenges, such as espionage, well-funded attacks by nation-states and insider leakage that compound the threat environment and make government challenges even more demanding and urgent.

HPE SecureData provides an end-to-end data-centric approach to enterprise data protection. It is the only comprehensive data protection platform that enables you to protect data over its entire lifecycle—from the point at which it’s captured, throughout its movement across your extended enterprise, all without exposing live information to high-risk, high-threat environments.

A comprehensive approach to end-to-end encryption
HPE SecureData with Hyper FPE has the ability to “de-identify” virtually unlimited data types, from sensitive personally identifiable information (PII), to IDs, health information or classified data, rendering it useless to attackers in the event of a security breach. This allows government agencies to securely leverage the de-identified data for big-data analytics, and collaborate with shared data between other agencies or contractors. It also provides accelerated encryption speeds that enables government agencies to adopt new technologies such as the cloud or Hadoop or invest in innovations such as IoT, all while lowering the risk of disclosing sensitive personal data or compromising high value data.

A major challenge faced by federal agencies, including those attacked by nation state adversaries, is the dependency on legacy applications and platforms with limited native data security options. HPE SecureData helps build data security into both new and decades-old legacy applications, de-identifying high-value data classes; for example, protecting classified information, or eliminating reliance on using Social Security Numbers for business processes. Security assurance is increased, while unleashing utility of data for secure adoption of big data analytics, Hadoop and other new applications and solutions.

HPE SecureData is the first data protection platform to earn FIPS 140-2 validation of its Format-Preserving Encryption (FPE) technology under the new National Institute of Standards and Technology’s (NIST) AES FFX Format-Preserving Encryption (FPE) mode standard. This enables public sector customers, when operating in strict FIPS mode, to take advantage of true FIPS-validated cryptography and build compliance programs for regulations such as the Cybersecurity Act of 2015 data security requirements, DFARS CUI, and General Data Protection Regulations (GDPR).

With the HPE SecureData FIPS validation, government agencies and contractors can now use a standardized data security product with extensive enterprise deployments, neutralizing data breaches while liberating analytics and innovation.

Hyper FPE: encryption and masking—how we do it
Traditional encryption approaches, such as AES CBC have enormous impact on data structures, schemas, and applications as shown in Figure 1. Hyper FPE is NIST-standard using FF1 mode of the Advanced Encryption Standard (AES) algorithm, which encrypts sensitive data while preserving its original format without sacrificing encryption strength. Structured data, such as Social Security, Tax ID, credit card, account, date of birth, salary fields, or email addresses can be encrypted in place.

Traditional encryption methods significantly alter the original format of data. For example, a 16-digit credit card number encrypted with AES produces a long alphanumeric string. As a result, database schema changes are required to facilitate this incompatible format. Hyper FPE maintains the format of the data being encrypted so no database schema changes and minimal application changes are required—in many cases only the trusted applications that need to see the clear data need a single line of code. Tools for bulk encryption facilitate rapid de-identification of large amounts of sensitive data in files and databases. Typically, whole systems can be rapidly protected in just days at a significantly reduced cost. In fact, Hyper FPE allows accelerated encryption performance aligning to the high volume needs of next generation Big Data, cloud and Internet of Things, and supports virtually unlimited data types.

Hyper FPE de-identifies production data and creates structurally valid test data so developers or users can perform QA or conduct data analysis—all without exposing sensitive data. The HPE SecureData management console enables easy control of policy and provides audit capabilities across the data life cycle—even across thousands of systems protected by HPE SecureData. Hyper FPE also provides the option to integrate access policy information in the cipher text, providing true data-centric protection where the data policy travels with the data itself.

Eliminating the need for a key database, as well as the corresponding hardware, software and IT processes required to protect the database continuously or the need to replicate or backup keys from site to site.

Maximizing the re-use of access policy infrastructure by integrating easily with identity and access management frameworks and dynamically enforcing data-level access to data fields or partial fields, by policy, as roles change.

Hyper SST (Secure Stateless Tokenization)
Hyper SST is an advanced, patented, data security solution that provides enterprises, merchants, and payment processors with a new approach to help assure protection for payment card data. Hyper SST is offered as part of the HPE SecureData platform that unites market-leading encryption, tokenization, data masking, and key management to protect sensitive information in a single comprehensive solution.

Hyper SST is “stateless” because it eliminates the token database, which is central to other tokenization solutions, and removes the need for storage of cardholder or other sensitive data. Hyper SST uses a set of static, pre-generated tables containing random numbers created using a FIPS random number generator. These static tables reside on virtual “appliances”—commodity servers—and are used to consistently produce a unique, random token for each clear text Primary Account Number (PAN) input, resulting in a token that has no relationship to the original PAN. No token database is required with Hyper SST, thus improving the speed, scalability, security, and manageability of the tokenization process. In fact, Hyper SST effectively surpasses the existing “high-octane” SST tokenization performance.

Find out more about our solutions for Government entities at our new website: